1. 拓扑结构更新与设备接口分配
根据提供的拓扑图,调整设备连接分配如图:
2. 防火墙基础配置调整
总部防火墙FW1
python
# 接口配置
interface GigabitEthernet1/0/1 # 连接LSW1(内网)
ip address 192.168.10.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/2 # 连接AR1(公网)
ip address 49.0.0.1 255.255.255.0
nat outbound 2001
# 安全区域
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/2
# 默认路由
ip route-static 0.0.0.0 0.0.0.0 49.0.0.2分部/出差防火墙FW2
python
# 分部接口
interface GigabitEthernet1/0/1 # 连接LSW2(分部内网)
ip address 172.16.10.254 255.255.255.0
# 出差接口
interface GigabitEthernet1/0/3 # 连接LSW3(出差内网)
ip address 10.0.0.254 255.255.255.0
interface GigabitEthernet1/0/2 # 连接AR1(公网)
ip address 50.0.0.1 255.255.255.0
nat outbound 2001
# 默认路由
ip route-static 0.0.0.0 0.0.0.0 50.0.0.23. IPsec VPN配置
FW1(总部)
python
# IKE提议与对等体
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
ike peer branch
pre-shared-key Huawei@123
ike-proposal 10
remote-address 50.0.0.1 # FW2公网IP
# IPsec策略与ACL
ipsec proposal ipsec_pro
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ipsec policy-map ipsec_pol 10
ike-peer branch
proposal ipsec_pro
security acl 3000
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.10.0 0.0.0.255FW2(分部)
python
ike peer hq
pre-shared-key Huawei@123
ike-proposal 10
remote-address 49.0.0.1 # FW1公网IP
ipsec policy-map ipsec_pol 10
ike-peer hq
proposal ipsec_pro
security acl 3000
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.2554. SSL VPN配置
总部FW1
python
# 虚拟网关绑定公网接口
ssl vpn-gateway vg1
ip address 49.0.0.1 port 443
service enable
# 资源组包含总部内网资源
resource-group rg1
web-url "http://192.168.10.100" # 总部服务器
tcp-resource 1
address 192.168.10.200
port 3389
local-port 53389 # 映射远程桌面
# 用户认证配置
aaa
local-user user-remote password cipher Huawei@123
service-type sslvpn
access-limit 55. 路由器AR1公网路由配置
python
# 接口配置
interface GigabitEthernet0/0/0 # 连接FW1
ip address 49.0.0.2 255.255.255.0
interface GigabitEthernet0/0/1 # 连接FW2
ip address 50.0.0.2 255.255.255.0
# 静态路由
ip route-static 192.168.10.0 255.255.255.0 49.0.0.1
ip route-static 172.16.10.0 255.255.255.0 50.0.0.1
ip route-static 192.168.20.0 255.255.255.0 10.0.0.2546. 交换机LSW1/LSW2/LSW3配置(示例为LSW1)
python
# 默认VLAN 1,所有端口为access模式
vlan 1
interface Ethernet0/0/1 # 连接PC1
port link-type access
port default vlan 1
interface Ethernet0/0/3 # 连接FW1
port link-type access
port default vlan 17. 关键验证步骤
IPsec VPN验证
-
在FW1和FW2上检查SA状态:
bashdisplay ike sa display ipsec sa -
从分部PC2 ping 总部服务器:
bashPC2> ping 192.168.10.100
SSL VPN验证
-
出差用户PC3通过浏览器访问:
bashhttps://49.0.0.1使用用户名
user-remote和密码Huawei@123登录。 -
访问Web资源或通过远程桌面连接:
bashPC3> telnet 127.0.0.1 53389 # 测试映射的RDP端口
总结
本实验演示了VPN网络的搭建过程,涵盖IPsec与SSL VPN的配置、安全策略设计及故障排查方法。通过此实验,可深入理解以下知识点:
-
VPN技术在网络安全中的核心作用。
-
防火墙多区域安全策略的精细化控制。
-
NAT与VPN共存的解决方案。